XPCTRA financial malware leaves no stone unturned

A Trojan that previously did nothing but steal users' banking credentials has been modified to do much more than that.

This new variant, dubbed XPCTRA, can also steal users' credentials for the bitcoin cryptocurrency wallet Blockchain.info, the online e-payment service PerfectMoney and the e-wallet provider Neteller, as well as email credentials.

The XPCTRA financial malware threat

The threat was discovered and analyzed by Morphus Labs CRO (and SANS ISC incident handler) Renato Marinho, who says that the sample he analyzed had not been submitted to VirusTotal before.

He spotted the malware being delivered via links in spam emails. The link supposedly leads to a bank bill in PDF form, but actually downloads XPCTRA's dropper component. The dropper contacts the C&C server and downloads the remaining malware components, bundled in an executable named idfptray.exe.

The final payload first establishes persistence on the system, then changes the Windows firewall policy so that the malware can communicate with the Internet without restriction.

It then starts a local HTTP proxy, installs a root certificate for it, and changes the installed browsers' settings to route traffic through that proxy. Because the browsers now trust the malware's certificate, the proxy can intercept the user's (including HTTPS) sessions with the websites of various financial institutions and capture the credentials entered there. It also captures user credentials for a variety of email services (Microsoft Live, Hotmail, etc.).
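The three host-side changes described above (persistence, firewall allow rules, a browser proxy backed by a new root certificate) are all visible to a defender who knows where to look. The following PowerShell audit is an added example written for this page, not code from Morphus Labs or from the article's analysis; it assumes an elevated session, a 30-day window for "recently issued" root certificates, and the heuristic that programs living under user-writable paths (AppData, Temp, ProgramData, Users\Public) deserve attention. None of these are indicators taken from the XPCTRA sample.

```powershell
# Added audit script (editor's example, not from the article or Morphus Labs).
# Checks a Windows host for the kinds of changes described above. Assumptions:
# run elevated; the 30-day lookback, the user-writable-path heuristic and the
# output shape are choices made here, not indicators from the XPCTRA analysis.

$lookback = (Get-Date).AddDays(-30)
$userWritable = '\\(AppData|Temp|ProgramData|Users\\Public)\\'
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Browser proxy settings. WinINET (IE/Edge/Chrome) keeps them per user in the
#    registry; Firefox keeps its own in each profile's prefs.js.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey
if ($inet.ProxyEnable -eq 1 -or $inet.ProxyServer -or $inet.AutoConfigURL) {
    Add-Finding 'Proxy (WinINET)' "ProxyEnable=$($inet.ProxyEnable) ProxyServer=$($inet.ProxyServer) AutoConfigURL=$($inet.AutoConfigURL)"
}
$ffPrefs = Get-ChildItem -Path "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue
foreach ($prefs in $ffPrefs) {
    Select-String -Path $prefs.FullName -Pattern 'network\.proxy\.(type|http|ssl|autoconfig_url)' |
        ForEach-Object { Add-Finding 'Proxy (Firefox)' "$($prefs.FullName): $($_.Line.Trim())" }
}

# 2. Root certificates. A proxy that intercepts HTTPS needs its own CA trusted, so a
#    recently issued root (or anything at all in the per-user Root store) deserves a look.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store | Where-Object {
        $_.NotBefore -gt $lookback -or $store -eq 'Cert:\CurrentUser\Root'
    } | ForEach-Object {
        Add-Finding 'Root certificate' "$store $($_.Thumbprint) $($_.Subject) issued $($_.NotBefore.ToShortDateString())"
    }
}

# 3. Firewall. Report disabled profiles and enabled allow rules whose program lives
#    in a user-writable location (where a dropper would typically put its payload).
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
    ForEach-Object { Add-Finding 'Firewall profile disabled' $_.Name }
Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
    $rule = $_
    $app = $rule | Get-NetFirewallApplicationFilter
    if ($app.Program -and $app.Program -match $userWritable) {
        Add-Finding 'Firewall allow rule' "$($rule.DisplayName) [$($rule.Direction)] -> $($app.Program)"
    }
}

# 4. Persistence: Run keys, the per-user Startup folder and scheduled task actions.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Add-Finding 'Run key' "$key\$($_.Name) = $($_.Value)" }
    }
}
Get-ChildItem -Path "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Startup folder' $_.FullName }
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -and $action.Execute -match $userWritable) {
            Add-Finding 'Scheduled task' "$($task.TaskPath)$($task.TaskName) -> $($action.Execute) $($action.Arguments)"
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

The script only reports; it does not remove anything, because every category above also has legitimate members (corporate proxies, enterprise root CAs, vendor firewall rules). The value is in the combination: a fresh root certificate plus a proxy pointing at 127.0.0.1 plus an allow rule for an executable under AppData is the pattern the article describes, and each item alone is merely a lead to follow up.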

The stolen credentials are sent to the crooks over an unencrypted C&C channel; the malware then sets up an encrypted channel through which the attackers can control the victim's system remotely. The RAT capability was added to the malware via the open source QuasarRAT for Windows.

Finally, the malware is also capable of sending out spam.

Protection advice

This particular variant seems to have been designed to target users in Brazil, but that does not mean there aren't other variants, or similar malware, targeting users in the rest of the world.

Cyber crooks have reacted to the increased use of digital currencies and e-wallets by creating threats aimed at compromising and emptying the latter.

“Just as customers of traditional financial institutions have faced over the years the most diverse fraud attempts and had to protect themselves, so should digital money users. Give preference to services that offer a second authentication factor for transactions and be sure to enable it,” Marinho advised.